tomcat-users mailing list archives

From Tim Funk
Subject Re: Tomcat5 and url tracking hijacking
Date Tue, 27 Jan 2004 14:41:27 GMT
Yeah - you'd get that user's session. Same problem with cookie hijacking.

Use https.

There is nothing defined by the spec to prevent this. (Except https)


Marc Hughes wrote:
> Does tomcat 5 use some kind of mechanism to prevent session hijacking 
> when url session tracking is being used?  For instance, if someone posts 
> a url to a website with the tracking info in it, will anyone clicking on 
> that link pick up the original user's session (assuming it didn't time 
> out yet)?  If it does prevent this, how?
> If anyone knows of any articles about keeping sessions safe, I'd love to 
> get pointed to those.
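
The scenario discussed in this thread, as an added example that is not part of either poster's message: a Python detection check over access-log lines that flags a URL-tracked `jsessionid` arriving from more than one client address, or arriving with a Referer from another site. The log lines, host names, session IDs and the function name `analyse` are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in combined log format (not from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [27/Jan/2004:14:00:01 +0000] "GET /shop/cart;jsessionid=AAAA1111BBBB2222CCCC3333DDDD4444 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [27/Jan/2004:14:00:09 +0000] "GET /shop/pay;jsessionid=AAAA1111BBBB2222CCCC3333DDDD4444?step=2 HTTP/1.1" 200 734 "http://shop.example/shop/cart" "Mozilla/5.0"
198.51.100.7 - - [27/Jan/2004:14:05:30 +0000] "GET /shop/cart;jsessionid=AAAA1111BBBB2222CCCC3333DDDD4444 HTTP/1.1" 200 512 "http://forum.example/thread/42" "Opera/7.0"
203.0.113.5 - - [27/Jan/2004:14:06:00 +0000] "GET /shop/cart;jsessionid=EEEE5555FFFF6666AAAA7777BBBB8888 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# client IP, method, request target, Referer, User-Agent
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"'
)
# Session ID carried as a path parameter by URL rewriting.
SID_RE = re.compile(r";jsessionid=([0-9A-Za-z._-]+)", re.IGNORECASE)


def analyse(log_text, own_host):
    """Return (shared, leaked).

    shared: session ID -> sorted client IPs, for IDs seen from more than one IP.
    leaked: session IDs requested with a Referer from a host other than own_host,
            i.e. the rewritten URL was followed from a third-party page.
    """
    clients = defaultdict(set)
    leaked = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, referer, _agent = m.groups()
        sid = SID_RE.search(target)
        if not sid:
            continue  # request did not carry a URL-tracked session ID
        clients[sid.group(1)].add(ip)
        ref_host = urlsplit(referer).hostname  # None for "-" or an empty Referer
        if ref_host and ref_host != own_host:
            leaked.add(sid.group(1))
    # Several IPs for one ID can also be benign (proxies, roaming clients),
    # so treat the result as a lead for review rather than proof.
    shared = {s: sorted(ips) for s, ips in clients.items() if len(ips) > 1}
    return shared, leaked


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, "shop.example"))
```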
